SB15-152: Vulnerability Summary for the Week of May 25, 2015

Original release date: June 01, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are identified by CVE name and are organized according to severity, as determined by the Common Vulnerability Scoring System (CVSS) base score. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
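The tables that follow are flat text: each entry is one line of the form "vendor — product description published score CVE-ID", with the entry's NVD reference tags (CONFIRM, MISC, CERT-VN, EXPLOIT-DB, ...) on the lines after it. As an added example (not part of the bulletin and not a US-CERT or NVD tool), here is a parser for that format together with the severity banding defined above, so a bulletin can be triaged against the vendors one actually runs. The four sample rows are copied verbatim from this bulletin; the vendor watchlist in the usage call is made up.

```python
import re
from dataclasses import dataclass, field

# Severity bands exactly as the bulletin defines them (CVSS v2 base score).
SEVERITY_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 0.0))

# One flattened bulletin row:
#   "<vendor> — <product> <description> <YYYY-MM-DD> <score> <CVE-ID>"
# The em dash is the bulletin's own vendor/product separator; the description
# is matched lazily because it can contain anything except the trailing fields.
ROW_RE = re.compile(
    r"^(?P<vendor>\S+) — (?P<product>\S+) (?P<description>.+?) "
    r"(?P<published>\d{4}-\d{2}-\d{2}) (?P<score>\d{1,2}\.\d) (?P<cve>CVE-\d{4}-\d{4,})$"
)

# NVD reference tags (CONFIRM, MISC, CERT-VN, EXPLOIT-DB, ...) sit on their own
# lines under the row they belong to once the table is flattened to text.
REF_TAG_RE = re.compile(r"^[A-Z][A-Z0-9-]*$")


@dataclass
class Entry:
    vendor: str
    product: str
    description: str
    published: str
    score: float
    cve: str
    references: list = field(default_factory=list)


def severity(score: float) -> str:
    """Map a CVSS base score to the bulletin's High/Medium/Low label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: the Low band starts at 0.0")


def parse_bulletin(text: str) -> list:
    """Turn flattened bulletin text into Entry records, attaching reference tags."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            entries.append(Entry(m["vendor"], m["product"], m["description"],
                                 m["published"], float(m["score"]), m["cve"]))
        elif REF_TAG_RE.match(line) and entries:
            entries[-1].references.append(line)
        # Anything else (section headings, column labels) is ignored.
    return entries


def by_severity(entries: list) -> dict:
    """Group CVE ids by the bulletin's severity label, highest score first."""
    groups = {"High": [], "Medium": [], "Low": []}
    for e in sorted(entries, key=lambda e: e.score, reverse=True):
        groups[severity(e.score)].append(e.cve)
    return groups


def watchlist(entries: list, vendors: set, min_score: float = 0.0) -> list:
    """Entries for vendors you actually run, at or above a score threshold."""
    return [e for e in entries if e.vendor in vendors and e.score >= min_score]


# Four rows copied from this bulletin (real data, not constructed), as sample input.
SAMPLE_ROWS = """\
arubanetworks — clearpass_policy_manager Aruba Networks ClearPass Policy Manager (CPPM) before 6.5.0 allows remote administrators to execute arbitrary code via unspecified vectors. 2015-05-28 9.0 CVE-2014-6628
CONFIRM
hp — loadrunner Buffer overflow in HP LoadRunner 11.52 allows remote attackers to execute arbitrary code via unspecified vectors. 2015-05-25 10.0 CVE-2015-2110
HP
phpwind — phpwind Open redirect vulnerability in goto.php in phpwind 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. 2015-05-28 5.8 CVE-2015-4134
MISC
FULLDISC
MISC
coppermine-gallery — coppermine_photo_gallery Cross-site scripting (XSS) vulnerability in contact.php in Coppermine Photo Gallery before 1.5.36 allows remote authenticated users to inject arbitrary web script or HTML via the referer parameter. 2015-05-27 3.5 CVE-2015-3921
MISC
CONFIRM
"""

if __name__ == "__main__":
    parsed = parse_bulletin(SAMPLE_ROWS)
    for label, cves in by_severity(parsed).items():
        print(label, cves)
    # Hypothetical watchlist: only HP and phpwind products are deployed here.
    for e in watchlist(parsed, {"hp", "phpwind"}, min_score=5.0):
        print(e.cve, e.vendor, e.product, e.score, e.references)
```

The regex is anchored on the trailing date, score and CVE id, so descriptions containing parentheses, commas or version strings parse cleanly; a line that matches neither a row nor a reference tag is simply skipped, which is what makes the section headings harmless.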

High Vulnerabilities

Columns: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info. The Source & Patch Info column consists of NVD reference tags (CONFIRM, MISC, CERT-VN, EXPLOIT-DB, and so on), which appear on their own lines after each entry below; the URLs behind those tags are not reproduced here.
apple — iphone_os CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause a denial of service (reboot and messaging disruption) via crafted Unicode text that is not properly handled during display truncation in the Notifications feature, as demonstrated by Arabic characters in (1) an SMS message or (2) a WhatsApp message. 2015-05-27 7.8 CVE-2015-1157
MISC
MISC
MISC
MISC
MISC
MISC
MISC
arubanetworks — clearpass_policy_manager Aruba Networks ClearPass Policy Manager (CPPM) before 6.5.0 allows remote administrators to execute arbitrary code via unspecified vectors. 2015-05-28 9.0 CVE-2014-6628
CONFIRM
arubanetworks — clearpass_policy_manager Directory traversal vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote administrators to execute arbitrary files via unspecified vectors. 2015-05-28 9.0 CVE-2015-1550
CONFIRM
bomgar — remote_support Bomgar Remote Support before 15.1.1 allows remote attackers to execute arbitrary PHP code via crafted serialized data to unspecified PHP scripts. 2015-05-25 7.5 CVE-2015-0935
CERT-VN
cisco — telepresence_tc_software Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 do not properly implement access control, which allows remote attackers to obtain root privileges by sending packets on the local network and allows physically proximate attackers to obtain root privileges via unspecified vectors, aka Bug ID CSCub67651. 2015-05-24 8.3 CVE-2014-2174
CISCO
cisco — telepresence_advanced_media_gateway The web framework in Cisco TelePresence Advanced Media Gateway Series Software before 1.1(1.40), Cisco TelePresence IP Gateway Series Software, Cisco TelePresence IP VCR Series Software before 3.0(1.27), Cisco TelePresence ISDN Gateway Software before 2.2(1.94), Cisco TelePresence MCU Software before 4.4(3.54) and 4.5 before 4.5(1.45), Cisco TelePresence MSE Supervisor Software before 2.3(1.38), Cisco TelePresence Serial Gateway Series Software before 1.0(1.42), Cisco TelePresence Server Software for Hardware before 3.1(1.98), and Cisco TelePresence Server Software for Virtual Machine before 4.1(1.79) allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors, aka Bug IDs CSCul55968, CSCur08993, CSCur15803, CSCur15807, CSCur15825, CSCur15832, CSCur15842, CSCur15850, and CSCur15855. 2015-05-24 9.0 CVE-2015-0713
CISCO
cisco — telepresence_tc_software The network drivers in Cisco TelePresence T, Cisco TelePresence TE, and Cisco TelePresence TC before 7.3.2 allow remote attackers to cause a denial of service (process restart or device reload) via a flood of crafted IP packets, aka Bug ID CSCuj68952. 2015-05-24 7.8 CVE-2015-0722
CISCO
h-fj — mt-phpincgi mt-phpincgi.php in Hajime Fujimoto mt-phpincgi before 2015-05-15 does not properly restrict URLs, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted request, as exploited in the wild in May 2015. 2015-05-25 7.5 CVE-2015-2945
CONFIRM
JVNDB
JVN
hp — loadrunner Buffer overflow in HP LoadRunner 11.52 allows remote attackers to execute arbitrary code via unspecified vectors. 2015-05-25 10.0 CVE-2015-2110
HP
hp — sitescope Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x before 11.24.391, and 11.3x before 11.30.521 allows remote authenticated users to gain privileges via unknown vectors, aka ZDI-CAN-2567. 2015-05-25 8.7 CVE-2015-2120
HP
hp — network_virtualization HP Network Virtualization for LoadRunner and Performance Center 8.61 and 11.52 allows remote attackers to read arbitrary files via a crafted filename in a URL to the (1) HttpServlet or (2) NetworkEditorController component, aka ZDI-CAN-2569. 2015-05-25 7.8 CVE-2015-2121
HP
MISC
hp — sdn_van_controller The REST layer on HP SDN VAN Controller devices 2.5 and earlier allows remote attackers to cause a denial of service via network traffic to the REST port. 2015-05-25 7.8 CVE-2015-2122
HP
hp — nonstop_safeguard_security Unspecified vulnerability in HP NonStop Safeguard Security Software H06.x, L15.02, and J06.x before J06.19 allows remote authenticated users to gain privileges by leveraging Expand access. 2015-05-25 9.0 CVE-2015-2123
HP
ibm — tivoli_storage_manager_fastback Buffer overflow in the FastBackMount process in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.11.1 has unspecified impact and remote attack vectors. 2015-05-25 7.5 CVE-2015-0120
CONFIRM
ibm — security_siteprotector_system IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to execute arbitrary commands with SYSTEM privileges via unspecified vectors. 2015-05-25 9.0 CVE-2015-0160
CONFIRM
ibm — tivoli_storage_manager_fastback Stack-based buffer overflow in the FastBackMount process in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.11.1 allows remote attackers to execute arbitrary code via unspecified vectors. 2015-05-24 10.0 CVE-2015-1896
CONFIRM
ibm — websphere_portal IBM WebSphere Portal 8.5 through CF05 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. 2015-05-24 7.8 CVE-2015-1899
CONFIRM
AIXAPAR
icu_project — international_components_for_unicode The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text. 2015-05-25 7.5 CVE-2014-8146
CERT-VN
MISC
MLIST
CONFIRM
icu_project — international_components_for_unicode The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text. 2015-05-25 7.5 CVE-2014-8147
CERT-VN
MISC
MLIST
CONFIRM
linux — linux_kernel The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket. 2015-05-27 9.3 CVE-2015-3331
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
moxa — vport_activex_sdk_plus Multiple stack-based buffer overflows in Moxa VPort ActiveX SDK Plus before 2.8 allow remote attackers to insert assembly-code lines via vectors involving a regkey (1) set or (2) get command. 2015-05-26 7.5 CVE-2015-0986
MISC
CONFIRM
reflex_gallery_project — reflex_gallery Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in uploads/ directory. 2015-05-28 7.5 CVE-2015-4133
CONFIRM
EXPLOIT-DB
MISC
MISC
MISC
OSVDB
sap — sap_netweaver_application_server_java XML external entity (XXE) vulnerability in SAP NetWeaver AS Java allows remote attackers to send TCP requests to intranet servers or possibly have other unspecified impact via an XML request, related to “CIM UPLOAD,” aka SAP Security Note 2090851. 2015-05-26 7.5 CVE-2015-4091
MISC
sap — afaria Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Security Note 2153690. 2015-05-26 7.5 CVE-2015-4092
MISC
wireshark — wireshark The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the LBMR dissector in Wireshark 1.12.x before 1.12.5 does not reject a zero length, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. 2015-05-26 7.8 CVE-2015-3808
CONFIRM
CONFIRM
CONFIRM
wireshark — wireshark The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the LBMR dissector in Wireshark 1.12.x before 1.12.5 does not properly track the current offset, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. 2015-05-26 7.8 CVE-2015-3809
CONFIRM
CONFIRM
CONFIRM
wireshark — wireshark epan/dissectors/packet-websocket.c in the WebSocket dissector in Wireshark 1.12.x before 1.12.5 uses a recursive algorithm, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted packet. 2015-05-26 7.8 CVE-2015-3810
CONFIRM
CONFIRM
CONFIRM
wireshark — wireshark Multiple memory leaks in the x11_init_protocol function in epan/dissectors/packet-x11.c in the X11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 allow remote attackers to cause a denial of service (memory consumption) via a crafted packet. 2015-05-26 7.8 CVE-2015-3812
CONFIRM
CONFIRM
CONFIRM
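The Wireshark entries CVE-2015-3808 and CVE-2015-3809 above (and CVE-2015-3814 in the Medium section) are one bug class: a dissector loop whose offset advances by a length field read from the packet, where a zero or undersized length never makes progress. As an added illustration that is not Wireshark's code and not the LBMR or 802.11 wire format, the following uses a made-up type/length/value record layout to show the vulnerable loop next to its hardened form. The sample packets are constructed; the iteration budget in the unsafe parser exists only so the demonstration terminates.

```python
import struct

HEADER_LEN = 3  # 1-byte type + 2-byte big-endian length (the length counts the header too)


class ParseError(Exception):
    pass


def tlv(rec_type: int, payload: bytes) -> bytes:
    """Encode one well-formed record; used to build the sample packets."""
    return struct.pack(">BH", rec_type, HEADER_LEN + len(payload)) + payload


def parse_tlv_unsafe(buf: bytes, budget: int = 1000):
    """Loop shaped like the vulnerable dissectors: the offset advances by the
    length field read from the packet and nothing checks that the length is
    sane. A record claiming length 0 leaves the offset where it is, so the loop
    never terminates. `budget` exists only so this demo returns; the real code
    had no such guard and spun forever."""
    records, offset, iterations = [], 0, 0
    while offset < len(buf):
        if iterations >= budget:
            return records, "LOOP: no progress after %d iterations" % budget
        iterations += 1
        rec_type, rec_len = struct.unpack_from(">BH", buf, offset)
        records.append((rec_type, buf[offset + HEADER_LEN:offset + rec_len]))
        offset += rec_len  # rec_len == 0 -> offset unchanged -> infinite loop


    return records, "ok"


def parse_tlv_safe(buf: bytes):
    """Hardened loop: every record must fit, and must move the offset forward."""
    records, offset = [], 0
    while offset < len(buf):
        remaining = len(buf) - offset
        if remaining < HEADER_LEN:
            raise ParseError("truncated record header at offset %d" % offset)
        rec_type, rec_len = struct.unpack_from(">BH", buf, offset)
        if rec_len < HEADER_LEN:
            # Zero, or any length shorter than the header, is an error, not a stride.
            raise ParseError("record length %d at offset %d is smaller than its header"
                             % (rec_len, offset))
        if rec_len > remaining:
            raise ParseError("record length %d at offset %d overruns the packet"
                             % (rec_len, offset))
        records.append((rec_type, bytes(buf[offset + HEADER_LEN:offset + rec_len])))
        offset += rec_len  # guaranteed to advance by at least HEADER_LEN
    return records


def rejects(parser, buf: bytes) -> bool:
    """True if the parser refuses the packet with ParseError."""
    try:
        parser(buf)
    except ParseError:
        return True
    return False


# Constructed sample packets (not real LBMR or 802.11 traffic).
GOOD = tlv(1, b"abc") + tlv(2, b"")
ZERO_LEN = tlv(1, b"abc") + b"\x02\x00\x00"   # second record claims length 0
SHORT_LEN = tlv(1, b"abc") + b"\x02\x00\x01"  # length 1: shorter than its own header
TRUNCATED = tlv(1, b"abc")[:4]                # header says 6 bytes, only 4 present

if __name__ == "__main__":
    print(parse_tlv_safe(GOOD))
    print(parse_tlv_unsafe(ZERO_LEN)[1])
    for name, pkt in (("ZERO_LEN", ZERO_LEN), ("SHORT_LEN", SHORT_LEN), ("TRUNCATED", TRUNCATED)):
        print(name, "rejected" if rejects(parse_tlv_safe, pkt) else "accepted")
```

The hardened parser enforces the two invariants the CVE descriptions say were missing: the length must be at least the header size (so the offset always advances) and must not exceed the bytes remaining (so the offset is tracked against the real buffer, the CVE-2015-3809 failure). Rejecting with an error rather than clamping also keeps a malformed record from being silently dissected as something else.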


Medium Vulnerabilities

Columns: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info (NVD reference tags, listed on the lines after each entry).
arubanetworks — clearpass_policy_manager Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action. 2015-05-28 4.3 CVE-2015-1389
MISC
CONFIRM
FULLDISC
arubanetworks — clearpass_policy_manager Multiple SQL injection vulnerabilities in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allow remote administrators to execute arbitrary SQL commands via unspecified vectors. 2015-05-28 6.5 CVE-2015-1392
CONFIRM
arubanetworks — clearpass_policy_manager Directory traversal vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.4 allows remote administrators to read arbitrary files via unspecified vectors. 2015-05-28 4.0 CVE-2015-1551
CONFIRM
barracuda — web_filter Barracuda Web Filter before 8.1.0.005, when SSL Inspection is enabled, does not verify X.509 certificates from upstream SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2015-05-25 4.3 CVE-2015-0961
CERT-VN
CONFIRM
CONFIRM
CONFIRM
barracuda — web_filter Barracuda Web Filter 7.x and 8.x before 8.1.0.005, when SSL Inspection is enabled, uses the same root Certification Authority certificate across different customers’ installations, which makes it easier for remote attackers to conduct man-in-the-middle attacks against SSL sessions by leveraging the certificate’s trust relationship. 2015-05-25 4.3 CVE-2015-0962
CERT-VN
CONFIRM
CONFIRM
CONFIRM
church_admin_project — church_admin Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/. 2015-05-28 4.3 CVE-2015-4127
CONFIRM
EXPLOIT-DB
OSVDB
MISC
cisco — hosted_collaboration_solution The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786. 2015-05-22 6.5 CVE-2015-0750
CISCO
coppermine-gallery — coppermine_photo_gallery Open redirect vulnerability in mode.php in Coppermine Photo Gallery before 1.5.36 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter. 2015-05-27 5.8 CVE-2015-3922
MISC
CONFIRM
emc — document_sciences_xpression SQL injection vulnerability in the xAdmin interface in EMC Document Sciences xPression 4.2 before P44 and 4.5 SP1 before P03 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 2015-05-25 6.5 CVE-2015-0540
BUGTRAQ
emerson — ams_device_manager SQL injection vulnerability in Emerson AMS Device Manager before 13 allows remote authenticated users to gain privileges via malformed input. 2015-05-25 6.5 CVE-2015-1008
MISC
CONFIRM
free-counter — free_counter Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php. 2015-05-28 4.3 CVE-2015-4084
BUGTRAQ
gigpress_project — gigpress Multiple SQL injection vulnerabilities in admin/handlers.php in the GigPress plugin before 2.3.9 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) show_artist_id or (2) show_venue_id parameter in an add action in the gigpress.php page to wp-admin/admin.php. 2015-05-27 6.5 CVE-2015-4066
CONFIRM
EXPLOIT-DB
BID
MISC
hp — access_control Unspecified vulnerability in the Secure Pull Print and Security Pull Print components in HP Access Control (AC) Software 12.x through 14.x before 14.1.2 allows remote authenticated users to obtain sensitive information via unknown vectors. 2015-05-25 4.0 CVE-2015-2118
HP
ibm — endpoint_manager_family Cross-site request forgery (CSRF) vulnerability in the login page in IBM License Metric Tool 9 before 9.1.0.2 and Endpoint Manager for Software Use Analysis 9 before 9.1.0.2 allows remote attackers to hijack the authentication of arbitrary users via vectors involving a FRAME element. 2015-05-25 6.8 CVE-2014-4774
CONFIRM
ibm — endpoint_manager_family IBM License Metric Tool 9 before 9.1.0.2 and Endpoint Manager for Software Use Analysis 9 before 9.1.0.2 do not send an X-Frame-Options HTTP header in response to requests for the login page, which allows remote attackers to conduct clickjacking attacks via vectors involving a FRAME element. 2015-05-25 4.3 CVE-2014-4778
CONFIRM
ibm — workload_deployer The log viewer in IBM Workload Deployer 3.1 before 3.1.0.7 allows remote attackers to obtain sensitive information via a direct request for the URL of a log document. 2015-05-25 5.0 CVE-2014-6190
CONFIRM
ibm — endpoint_manager_family Common Inventory Technology (CIT) before 2.7.0.2050 in IBM License Metric Tool 7.2.2, 7.5, and 9; Endpoint Manager for Software Use Analysis 9; and Tivoli Asset Discovery for Distributed 7.2.2 and 7.5 allows remote attackers to cause a denial of service (CPU consumption or application crash) via a crafted XML query, a different vulnerability than CVE-2014-8927. 2015-05-25 5.0 CVE-2014-8926
CONFIRM
ibm — endpoint_manager_family Common Inventory Technology (CIT) before 2.7.0.2050 in IBM License Metric Tool 7.2.2, 7.5, and 9; Endpoint Manager for Software Use Analysis 9; and Tivoli Asset Discovery for Distributed 7.2.2 and 7.5 allows remote attackers to cause a denial of service (CPU consumption or application crash) via a crafted XML query, a different vulnerability than CVE-2014-8926. 2015-05-25 5.0 CVE-2014-8927
CONFIRM
ibm — spss_statistics An unspecified ActiveX control in IBM SPSS Statistics 22.0 through FP1 on 32-bit platforms allows remote attackers to execute arbitrary code via a crafted HTML document. 2015-05-25 6.8 CVE-2015-0140
CONFIRM
ibm — security_siteprotector_system SQL injection vulnerability in IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 2015-05-25 6.5 CVE-2015-0161
CONFIRM
ibm — security_siteprotector_system IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to inject arguments via unspecified vectors. 2015-05-25 4.0 CVE-2015-0169
CONFIRM
ibm — security_siteprotector_system Directory traversal vulnerability in IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to write to arbitrary files via unspecified vectors. 2015-05-25 5.5 CVE-2015-0171
CONFIRM
ibm — infosphere_information_server The Connector Migration Tool in IBM InfoSphere Information Server 8.1 through 11.3 allows remote authenticated users to bypass intended restrictions on job creation and modification via unspecified vectors. 2015-05-25 5.5 CVE-2015-0180
CONFIRM
AIXAPAR
ibm — optim_workload_replay Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere Optim Workload Replay 2.x before 2.1.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. 2015-05-24 6.8 CVE-2015-1894
CONFIRM
ibm — optim_workload_replay IBM InfoSphere Optim Workload Replay 2.x before 2.1.0.3 relies on client-side code to verify authorization, which allows remote attackers to bypass intended access restrictions by modifying the client behavior. 2015-05-24 5.0 CVE-2015-1895
CONFIRM
ibm — infosphere_master_data_management_server The XML parser in the Reference Data Management component in the server in IBM InfoSphere Master Data Management (MDM) 10.1 before IF1, 11.0 before FP3, 11.3, and 11.4 before FP2 allows remote attackers to read arbitrary files, and consequently obtain administrative access, via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. 2015-05-24 5.0 CVE-2015-1909
CONFIRM
ibm — sterling_field_sales Cross-site scripting (XSS) vulnerability in Sterling Order Management 8.5 before HF113, Sterling Selling and Fulfillment Foundation 9.0.0 before FP92, and Sterling Field Sales (SFS) 9.0 before HF7 in IBM Sterling Selling and Fulfillment Suite allows remote attackers to inject arbitrary web script or HTML via a crafted URL. 2015-05-24 4.3 CVE-2015-1911
CONFIRM
ibm — endpoint_manager_family The Endpoint Manager for Remote Control component in IBM Tivoli Endpoint Manager for Lifecycle Management 9.0.1 before IF6 and 9.1.0 before IF6 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. 2015-05-24 4.3 CVE-2015-1915
CONFIRM
AIXAPAR
ibm — websphere_portal Open redirect vulnerability in IBM WebSphere Portal 8.0.0 before 8.0.0.1 CF17 and 8.5.0 before CF06 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL. 2015-05-24 6.4 CVE-2015-1921
CONFIRM
AIXAPAR
landing_pages_project — landing_pages SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-admin/post.php. 2015-05-27 6.5 CVE-2015-4064
CONFIRM
EXPLOIT-DB
BID
MISC
linux — linux_kernel The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit. 2015-05-27 6.9 CVE-2014-9710
CONFIRM
CONFIRM
MLIST
CONFIRM
linux — linux_kernel include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment. 2015-05-27 4.9 CVE-2014-9715
CONFIRM
CONFIRM
MLIST
CONFIRM
MLIST
CONFIRM
linux — linux_kernel Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd. 2015-05-27 6.9 CVE-2015-2666
CONFIRM
CONFIRM
MLIST
CONFIRM
linux — linux_kernel A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allows local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds. 2015-05-27 4.9 CVE-2015-3332
CONFIRM
CONFIRM
MLIST
MLIST
linux — linux_kernel Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped. 2015-05-27 6.2 CVE-2015-3339
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
mit — kerberos The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client’s request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c. 2015-05-25 5.8 CVE-2015-2694
CONFIRM
CONFIRM
newstatpress_project — newstatpress SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php. 2015-05-27 6.5 CVE-2015-4062
CONFIRM
EXPLOIT-DB
BID
MISC
ocf — sxf_common_library Stack-based buffer overflow in the Open CAD Format Council SXF common library before 3.30 allows remote attackers to execute arbitrary code via a crafted CAD file. 2015-05-25 6.8 CVE-2015-2946
CONFIRM
JVNDB
JVN
CONFIRM
osisoft — pi_server OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements. 2015-05-25 6.5 CVE-2015-1013
MISC
CONFIRM
phpmyadmin — phpmyadmin Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. 2015-05-26 6.8 CVE-2015-3902
CONFIRM
CONFIRM
phpmyadmin — phpmyadmin libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2015-05-26 4.3 CVE-2015-3903
CONFIRM
CONFIRM
phpwind — phpwind Open redirect vulnerability in goto.php in phpwind 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. 2015-05-28 5.8 CVE-2015-4134
MISC
FULLDISC
MISC
phpwind — phpwind Cross-site scripting (XSS) vulnerability in goto.php in phpwind 8.7 allows remote attackers to inject arbitrary web script or HTML via the url parameter. 2015-05-28 4.3 CVE-2015-4135
MISC
FULLDISC
MISC
postgresql — postgresql Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence. 2015-05-28 4.3 CVE-2015-3165
UBUNTU
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
DEBIAN
DEBIAN
wireshark — wireshark epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 improperly refers to previously processed bytes, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, a different vulnerability than CVE-2015-2188. 2015-05-26 5.0 CVE-2015-3811
CONFIRM
CONFIRM
CONFIRM
wireshark — wireshark The fragment_add_work function in epan/reassemble.c in the packet-reassembly feature in Wireshark 1.12.x before 1.12.5 does not properly determine the defragmentation state in a case of an insufficient snapshot length, which allows remote attackers to cause a denial of service (memory consumption) via a crafted packet. 2015-05-26 5.0 CVE-2015-3813
CONFIRM
CONFIRM
CONFIRM
wireshark — wireshark The (1) dissect_tfs_request and (2) dissect_tfs_response functions in epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 interpret a zero value as a length rather than an error condition, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. 2015-05-26 5.0 CVE-2015-3814
CONFIRM
CONFIRM
CONFIRM
wireshark — wireshark The detect_version function in wiretap/logcat.c in the Android Logcat file parser in Wireshark 1.12.x before 1.12.5 does not check the length of the payload, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a packet with a crafted payload, as demonstrated by a length of zero, a different vulnerability than CVE-2015-3906. 2015-05-26 5.0 CVE-2015-3815
CONFIRM
CONFIRM
MISC
CONFIRM
wireshark — wireshark The logcat_dump_text function in wiretap/logcat.c in the Android Logcat file parser in Wireshark 1.12.x before 1.12.5 does not properly handle a lack of termination, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted message in a packet, a different vulnerability than CVE-2015-3815. 2015-05-26 5.0 CVE-2015-3906
CONFIRM
CONFIRM
CONFIRM
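Three entries in this section are open redirects (Coppermine's referer parameter in mode.php, phpwind's url parameter in goto.php, and WebSphere Portal's crafted URL): the application forwards the browser to whatever a request parameter says. The fix is server-side validation of the redirect target, and the naive version ("starts with /") is bypassed by scheme-relative URLs and a handful of browser parsing quirks. The validator below is an added example, not code from any of those projects; the allowed host name is made up.

```python
from urllib.parse import urlsplit

# Constructed for the example: the hosts this application may redirect to.
ALLOWED_HOSTS = {"gallery.example"}


def safe_redirect_target(target: str, allowed_hosts: set, default: str = "/") -> str:
    """Return `target` if it can only lead to an allowed host, else `default`.

    A bare "starts with /" check is what vulnerable redirect handlers usually
    have; it misses scheme-relative URLs and several browser quirks that this
    function rejects explicitly."""
    if not target:
        return default
    t = target.strip()
    # CR/LF and other control characters: response-header injection, and
    # browsers silently drop some of them ("/\t/evil") in ways that defeat
    # naive prefix checks.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in t):
        return default
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil" is "//evil".
    t = t.replace("\\", "/")
    try:
        parts = urlsplit(t)
    except ValueError:          # e.g. malformed IPv6 literal
        return default
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return default          # javascript:, data:, vbscript:, ...
    if (scheme or t.startswith("//")) and not parts.netloc:
        # "http:///evil" and "///evil": browsers skip the extra slashes and
        # read a host, while urlsplit sees an empty authority.
        return default
    if parts.netloc:
        if parts.username is not None or parts.password is not None:
            return default      # "https://good@evil/" fools humans and some parsers
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        return t
    if not parts.path.startswith("/"):
        return default          # "evil.example" would resolve relative to the page
    return t


if __name__ == "__main__":
    for candidate in ("/albums/1", "//evil.example/", "/\\evil.example",
                      "https://gallery.example@evil.example/", "javascript:alert(1)"):
        print("%-40r -> %r" % (candidate, safe_redirect_target(candidate, ALLOWED_HOSTS)))
```

Where the application does not need off-site redirects at all, the simpler and safer design is to accept only a site-relative path and build the absolute URL yourself; the host allowlist is for the case where a few external targets are genuinely required.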


Low Vulnerabilities

Columns: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info (NVD reference tags, listed on the lines after each entry).
arubanetworks — clearpass_policy_manager Multiple cross-site scripting (XSS) vulnerabilities in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allow remote administrators to inject arbitrary web script or HTML via unspecified vectors. 2015-05-28 3.5 CVE-2015-4132
CONFIRM
coppermine-gallery — coppermine_photo_gallery Cross-site scripting (XSS) vulnerability in contact.php in Coppermine Photo Gallery before 1.5.36 allows remote authenticated users to inject arbitrary web script or HTML via the referer parameter. 2015-05-27 3.5 CVE-2015-3921
MISC
CONFIRM
ibm — curam_social_program_management Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5 iFix10, 6.0.5 before 6.0.5.6, and 6.0.5.5a before 6.0.5.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-05-25 3.5 CVE-2014-6192
CONFIRM
ibm — business_process_manager Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.6.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-05-25 3.5 CVE-2015-0156
CONFIRM
AIXAPAR
AIXAPAR
ibm — security_siteprotector_system Cross-site scripting (XSS) vulnerability in IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 2015-05-25 3.5 CVE-2015-0168
CONFIRM
ibm — security_siteprotector_system IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows local users to obtain sensitive information by reading cached data. 2015-05-25 2.1 CVE-2015-0170
CONFIRM
ibm — infosphere_master_data_management_server Cross-site scripting (XSS) vulnerability in the Reference Data Management component in the server in IBM InfoSphere Master Data Management (MDM) 10.1 before IF1, 11.0 before FP3, and 11.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-05-24 3.5 CVE-2015-1910
CONFIRM
landing_pages_project — landing_pages Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php. 2015-05-27 3.5 CVE-2015-4065
CONFIRM
EXPLOIT-DB
BID
MISC
linux — linux_kernel arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16. 2015-05-27 1.9 CVE-2015-2830
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
linux — linux_kernel The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. 2015-05-27 3.3 CVE-2015-2922
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
newstatpress_project — newstatpress Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php. 2015-05-27 3.5 CVE-2015-4063
CONFIRM
EXPLOIT-DB
BID
MISC


Don’t Let Your Mac Fall Asleep: It Might Dream Up A Rootkit

Just last month we talked about how the “Unicode of Death” crashes iPhones and Apple Watches, how easily Apple Safari can be manipulated via URL spoofing, and the ex-NSA researcher who pointed out Mac security flaws.

Now Pedro Vilaca, a security expert who specializes in Mac OS X and iOS security, has found another ugly vulnerability. Take a look at what he wrote on his blog: “Well, Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. !?#$&#%&!#%&!#.

And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”

Wow. So basically, with root access, it is possible to install a rootkit on a Mac without much effort. Just wait until the machine has been in sleep mode for at least 30 seconds so that the flash locks are removed. Once they are gone, the device is yours: with the flash locks gone you can modify the UEFI code and, well … for example, install a rootkit. The only way to protect yourself from this is to never let your Apple device go into sleep mode.

Luckily, not all devices seem to be affected. Vilaca tested the issue against a MacBook Pro Retina, a MacBook Pro 8,2, and a MacBook Air, all running the latest EFI firmware available, and all of them were vulnerable. There is a glimmer of hope though: the latest MacBooks might have been silently fixed by Apple, since the security expert was not able to reproduce the vulnerability there.

The post Don’t Let Your Mac Fall Asleep: It Might Dream Up A Rootkit appeared first on Avira Blog.

The Police Virus strikes again! Android systems attacked!

The Spanish Police have warned of the reappearance of the Police Virus for Android.

Here we explain how it attacks your cell phone and what you can do to protect it!


Posted June 2, 2014

A few days ago a new Android malware showed up: Android/Koler.A. It made the news because it was a Police Virus / ransomware attack, similar to the ones we have seen on Windows computers, but this time targeting mobile phones.

Although in this case the malware cannot encrypt any of the phone’s data, it is nasty and really difficult to get rid of (without an antivirus for Android), as the warning message is always on top and the user has only a few seconds to try to uninstall it.

While we were studying it, we found a new variant exactly the same as the first one, but this one was connecting to a different server in order to download the proper warning. And this server was still up… It turns out that the cybercriminals made a small mistake configuring it and left the door half-open. Sadly, we could not get access to all the information there (there was a MySQL database with all the payments, infections, etc. that we couldn’t reach), but still we were able to download some files from the server and take a look at how it works.

I won’t go into details about the mistake they made that left that door half-open, as of course we do not want to help them ;)

Unsurprisingly, the server side works much like the Windows-targeting variants we have seen in the past: a number of scripts geolocate the device and show the message in the local language with images of local law enforcement. The server saves information about every infected device in the database, recording the IMEI number of the mobile phone together with the MD5 of the malware sample that infected it. This lets the criminals track the number of infections per malware variant and measure the success of their different infection campaigns.

This Trojan targets users in 31 different countries around the world; 23 of them are European:
Austria, Belgium, Czech Republic, Germany, Denmark, Finland, France, Greece, Hungary, Ireland, Italy, Latvia, Netherlands, Norway, Poland, Portugal, Romania, Spain, Sweden, Switzerland, Slovenia, Slovakia and United Kingdom.

Users from these countries are also being targeted: Australia, Bolivia, Canada, Ecuador, Mexico, New Zealand, Turkey and United States of America.

What if you have already been infected?

Well, you probably won’t have an antivirus installed on your phone, which makes the cleanup a bit difficult. The “infection” screen will be on top of everything, and this malware also disables the Back key. However, the Home button will still work, so you can give it a try: press the Home button, go to the App menu and uninstall the malicious app:


The bad news is that you will only have 5 seconds to do this, as the warning screen pops up every 5 seconds. What can you do then? Well, you just need to restart your phone in “safe mode”. Depending on the phone you have, this is done in different ways. Those running pure Android versions (Nexus, Motorola) only need to open the shutdown menu and press and hold the shutdown option for a couple of seconds, until the following message shows up:


Click OK, and once the phone has restarted you can uninstall the malicious app. To go back to normal, just restart the phone in the usual way. If you are using a phone with a custom Android version (Samsung, etc.), you can easily use Google to find out how it is done on your device.

We managed to grab the ransom message screens for every country, where you can find a number of well-known people, such as Obama (president of the United States), François Hollande (president of France), Queen Elizabeth… It was also funny to see that the US one mentions Mandiant (the company that showed how China had a cyber-espionage unit in its army).

The post The Police Virus strikes again! Android systems attacked! appeared first on MediaCenter Panda Security.